News Robert Miranda

Oracle Releases Quarterly Security Patch Updates - April 2021

Hub City Media advises all Oracle customers review these security vulnerabilities with their teams…

As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.

We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.

For assistance with applying these patches, contact us


Oracle WebLogic Server 10.3.6

Product: Oracle WebLogic Server 10.3.6.0.0

Subcomponent(s): TopLink Integration, Core, Console, Web Services

Patch Number: 32403651

 Vulnerability Details: Both easily exploitable and difficult to exploit vulnerabilities allow unauthenticated or high privileged attackers with network access via HTTP, HTTPS, T3, or IIOP to compromise Oracle WebLogic Server. Some successful attacks require human interaction from a person other than the attacker. While the vulnerability is in Oracle WebLogic Server, these attacks could significantly impact other products.

Successful attacks can result in:

  • unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data

  • unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data 

  • unauthorized read access to a subset of Oracle WebLogic Server accessible data

  • unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebLogic Server

Java SE 7

Product: Java SE 7

Subcomponent(s): Libraries 

 Patch Number: 32464070

 Vulnerability Details: Difficult to exploit vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition.  Some of the attacks require additional human interaction but not all.  

 Successful attacks can result in:

  • unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data.

Oracle Solaris

Product: Oracle Solaris

 Subcomponent(s): Kernel

 Patch Number: 11.4.30.88.3

 Vulnerability Details: Easily exploitable vulnerability allows low privileged attackers with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris.

 Successful attacks can result in:

  • unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris as well as unauthorized update, insert or delete access to some of Oracle Solaris accessible data

Oracle Coherence

Product: Oracle Coherence

 Subcomponent(s): Core

 Patch Number: 32581736

 Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle Coherence. 

 Successful attacks can result in:

  • unauthorized access to critical data or complete access to all Oracle Coherence accessible data

 

In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.


With every patch update, our team ensures your Oracle system is up to date and running smoothly.

Learn more about how we can help you...


Oracle Releases Quarterly Security Patch Updates - January 2021

Hub City Media advises all Oracle customers review these security vulnerabilities with their teams…

As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.

We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.

For assistance with applying these patches, contact us


Java SE 7

Product: Java SE 7

 Subcomponent(s): Libraries

 Patch Number: 13079846

 Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded.

 Successful attacks can result in:

  • Unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.

Java SE 8

Product: Java SE 8

 Subcomponent(s): Libraries

 Patch Number: 18143322

 Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded.

 Successful attacks can result in:

  • Unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.

Oracle BI Publisher 11.1.1.9.0, 12.2.1.3.0

Product: Oracle BI Publisher 11.1.1.9.0, Oracle BI Publisher 12.2.1.3.0

Subcomponent(s): Administration, BI Publisher Security, E-Business Suite - XDO, Web Server

Patch Number: 32310890 (11.1.1.9.0), 32294042 (12.2.1.3)

Vulnerability Details: Easily exploitable vulnerability allows low privileged attackers with network access via HTTP to compromise Oracle BI Publisher. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle BI Publisher, attacks may significantly impact additional products.

 Successful attacks can result in:

  • Unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data

  • Unauthorized update, insert or delete access to some of Oracle BI Publisher accessible data

  • Unauthorized ability to cause a partial denial of service (partial DOS) of Oracle BI Publisher


Oracle WebLogic Server 10.3.6

Product: Oracle WebLogic Server 10.3.6.0.0

Subcomponent(s): Web Services, Core Components, Samples, Console, Console (Apache Common Beanutils), Sample Apps (Spring Framework)

Patch Number: 32052267, 32134024

Vulnerability Details: Easily exploitable vulnerability allows unauthenticated, low privilege, or high privilege attackers with network access via HTTP, or IIOP/T3 to compromise Oracle WebLogic Server. 

Difficult to exploit vulnerability allows a low privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products.

 Successful attacks can result in:

  • Takeover of Oracle WebLogic Server.

  • Unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data.

  • Unauthorized read access to a subset of Oracle WebLogic Server accessible data.

  • Unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebLogic Server.

 

Oracle WebLogic Server 12.2.1.3

Product: Oracle WebLogic Server 12.2.1.3

Subcomponent(s): Core Components (Connect2id Nimbus JOSE+JWT), Core Components, Samples, Console (Apache Commons Beanutils), Console, Sample Apps (Spring Framework), Sample Apps (jQuery), Centralized Thirdparty Jars (Google Guava)

Patch Number: 32300397, 32148634

Vulnerability Details: Easily exploitable vulnerability allows unauthenticated, low privileged, and high privileged attackers with network access via HTTP, or IIOP/T3 to compromise Oracle WebLogic Server. 

Difficult to exploit vulnerability allows low privileged attackers with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products.

Successful attacks can result in:

  • Takeover of Oracle WebLogic Server.

  • Unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data.

  • Unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data.

  • Unauthorized read access to a subset of Oracle WebLogic Server accessible data.

  • Unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebLogic Server.

  • Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server.

 

In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.



Oracle Releases Quarterly Security Patch Updates - October 2020

Hub City Media advises all Oracle customers review these security vulnerabilities with their teams…

As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.

We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.

For assistance with applying these patches, contact us


Java SE 7

Subcomponent(s): Hotspot, JNDI, Libraries, Serialization

 Patch Number: 13079846

 Vulnerability Details: Difficult to exploit vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded. Some successful attacks require human interaction from a person other than the attacker, others do not.

 Successful attacks can result in:

  • unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data

  • unauthorized read access to a subset of Java SE, Java SE Embedded accessible data

  • unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded

 

Java SE 8

Subcomponent(s): Hotspot, JNDI, Libraries, Serialization

 Patch Number: 18143322

 Vulnerability Details: Difficult to exploit vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded. Some successful attacks require human interaction from a person other than the attacker, others do not.

 Successful attacks can result in:

  • unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data

  • unauthorized read access to a subset of Java SE, Java SE Embedded accessible data

  • unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded

 

WebLogic Server 12.2.1.3

Subcomponent(s): Centralized Thirdparty Jars, Console, Core, Web Services, jQuery

 Patch Number: Patchset 31961038

 Vulnerability Details: Easily exploitable vulnerabilities allow both unauthenticated and highly privileged attackers with network access via HTTP, IIOP, or T3 to compromise Oracle WebLogic Server. Some successful attacks require human interaction from someone other than the attacker. While the vulnerabilities are in WebLogic Server, attacks might significantly impact additional products. There is also a difficult to exploit vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks on this vulnerability require human interaction from a person other than the attacker.

 Successful attacks can result in:

  • takeover of Oracle WebLogic Server

  • unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data

  • unauthorized creation, insert, deletion or modification access to critical data or all Oracle WebLogic Server accessible data as 

  • unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data

 

WebLogic Server 10.3.6

Subcomponent(s): Console, Core, jQuery, Apache Log4j

 Patch Number: Patchset: 31641257

 Vulnerability Details: Easily exploitable vulnerabilities allow both unauthenticated and highly privileged attackers with network access via HTTP, IIOP, or T3 to compromise Oracle WebLogic Server. Some successful attacks require human interaction from someone other than the attacker. While the vulnerabilities are in WebLogic Server, attacks might significantly impact additional products. There is also a difficult to exploit vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks on this vulnerability require human interaction from a person other than the attacker. There is another difficult to exploit vulnerability that allows an unauthenticated attacker with network access via SMTPS to compromise Oracle WebLogic Server.

 Successful attacks can result in:

  • takeover of Oracle WebLogic Server

  • unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data

  • unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data

  • unauthorized read access to a subset of Oracle WebLogic Server accessible data

 

Oracle Access Manager 11.1.2.3.0

Subcomponent(s): Web Server Plugin (RSA BSafe)

 Patch Number: 31710235 

 Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Access Manager

 Successful attacks can result in:

  • Takeover of Oracle Access Manager

 

Oracle BI Publisher 12.2.1.3.0

Subcomponent(s): E-Business Suite - XDO, BI Publisher Security, Mobile Service, BI Publisher Security (jQuery)

 Patch Number: 31690029

 Vulnerability Details: Easily exploitable vulnerability allows low privileged users with network access via HTTP to compromise BI Publisher. Attacks may significantly impact additional products. Some successful attacks require human interaction from a person other than the attacker.

 Successful attacks can result in:

  • Complete access to all BI Publisher accessible data

  • Unauthorized update, insert, and/or delete access to some BI Publisher accessible data

  • Unauthorized read access to a subset of BI Publisher accessible data

 

Oracle BI Publisher 11.1.1.9.0

Subcomponent(s): E-Business Suite - XDO, BI Publisher Security, Mobile Service

 Patch Number: 31943269

 Vulnerability Details: Easily exploitable vulnerability allows low privileged users with network access via HTTP to compromise BI Publisher. Attacks may significantly impact additional products. Some successful attacks require human interaction from a person other than the attacker.

 Successful attacks can result in:

  • Complete access to all BI Publisher accessible data

  • Unauthorized update, insert, and/or delete access to some BI Publisher accessible data

  • Unauthorized read access to a subset of BI Publisher accessible data

 

Oracle Solaris 11.4

Subcomponent(s): Pluggable authentication module, Kernel, Filesystem, Utility

 Patch Number: 11.4.26.75.4

 Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products.  Easily exploitable vulnerability allows low privileged attackers with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker. Difficult to exploit vulnerability allows low privileged attackers with network access via SSH to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Solaris, attacks may significantly impact additional products.

 Successful attacks can result in:

  • the takeover of Oracle Solaris

  • unauthorized access to critical data or complete access to all Oracle Solaris accessible data 

  • unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Solaris

  • unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris

  • unauthorized update, insert or delete access to some of Oracle Solaris accessible data

 

In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.



Oracle Releases Quarterly Security Patch Updates - July 2020

Hub City Media advises all Oracle customers review these security vulnerabilities with their teams…

As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.

We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.

For assistance with applying these patches, contact us


Oracle BI Publisher 11.1.1.9.0

Subcomponent(s): Mobile Service, Layout Templates

 Patch Number: 31525202

 Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle BI Publisher and significantly impacts additional products.

 Successful attacks can result in:

  • Unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data as well as unauthorized update, insert, or delete access to some of Oracle BI Publisher accessible data.

 

Oracle BI Publisher 12.2.1.3.0

 Subcomponent(s): Mobile Service, Layout Templates, BI Publisher Security

Patch Number: 31525202, 31178889

 Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle BI Publisher and significantly impacts additional products.

 Successful attacks can result in:

  • Unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data as well as unauthorized update, insert, or delete access to some of Oracle BI Publisher accessible data.

 

Oracle Solaris

Subcomponent(s): Kernel, Operating System Image, Packaging Scripts, libsuri, Device Driver Utility

 Patch Number: 11.4.23.69.3

 Vulnerability Details:

  • Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris.

  • Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise Oracle Solaris.

  • Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle ZFS Storage Appliance Kit.

  • Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris.

Successful attacks can result in:

  • Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris

  • Unauthorized read access to a subset of Oracle Solaris accessible data

  • Takeover of Oracle ZFS Storage Appliance Kit

  • Unauthorized creation, deletion or modification access to critical data or all Oracle Solaris accessible data

  • Takeover of Oracle Solaris

 

Oracle Unified Directory 11.1.2.3.0

Subcomponent(s): Security

 Patch Number: 31541461

 Vulnerability Details: Easily exploitable vulnerability allows high privileged attackers with network access via HTTP to compromise Oracle Unified Directory. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Unified Directory, attacks may significantly impact additional products.

 Successful attacks can result in:

  • Unauthorized creation, deletion or modification access to critical data or all Oracle Unified Directory accessible data

  • Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Unified Directory

 

WebLogic Server 10.3.6

Subcomponent(s): Security Service, Core, Console, Log4j, Web Container, Web Services

 Patch Number: Patchset: 31178492,  ADR Patch: 31241365

 Vulnerability Details: Easily exploitable vulnerabilities allow unauthenticated attackers with network access via HTTP, HTTPS, IIOP, or T3 to compromise Oracle WebLogic Server. Some attacks require human interaction, and attacks of this variety may significantly impact other products even though the vulnerability is in WebLogic Server. Exploiting these vulnerabilities has confidentiality, integrity and availability impacts.

 Successful attacks can result in:

  • Takeover of WebLogic Server

  • Unauthorized creation, deletion or modification access to all Oracle WebLogic Server accessible data

  • Unauthorized read access to a subset of Oracle WebLogic Server accessible data.

  • Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS)

  • Unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data

 

WebLogic Server 12.2.1.3

Subcomponent(s): Centralized Thirdparty Jars (jackson-databind), Security Service, Core, Centralized Thirdparty Jars (Log4j), Console (Log4j), Web Container, Sample apps, Web Services

 Patch Number: Patchset: 31535411, ADR Patch: 31544340

 Vulnerability Details: Easily exploitable vulnerabilities allow unauthenticated attackers with network access via HTTP, HTTPS, IIOP, or T3 to compromise Oracle WebLogic Server. Exploiting these vulnerabilities has confidentiality, integrity and availability impacts. Some attacks require human interaction; although the vulnerability is in WebLogic Server, these attacks could significantly impact other available products. There are also difficult to exploit vulnerabilities, requiring human interaction, that allow an unauthenticated attacker via HTTP to compromise WebLogic Server. Vulnerabilities of this type also have confidentiality, integrity, and availability impacts.

 Successful attacks can result in:

  • Takeover of Oracle WebLogic Server

  • Unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data

  • Unauthorized read access to a subset of Oracle WebLogic Server accessible data

  • Unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data

  • Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS)

  • Unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data

 

Java SE 7 

Subcomponent(s): Libraries, 2D, JAXP, JSSE

 Patch Number: 13079846

 Vulnerability Details: Difficult to exploit vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded. Some successful attacks require human interaction from a person other than the attacker and, while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Easily exploitable vulnerabilities allow unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and, while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Attacks of these varieties have confidentiality, integrity and availability impacts.

 Successful attacks can result in:

  • Takeover of Java SE, Java SE Embedded

  • Unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data

  • Unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data

  • Unauthorized ability to cause a partial denial of service (partial DOS)

  • Unauthorized read access to a subset of Java SE, Java SE Embedded accessible data

 

Java SE 8

 Subcomponent(s): Libraries, 2D, JAXP, JSSE

 Patch Number: 18143322

 Vulnerability Details: Difficult to exploit vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded. Some successful attacks require human interaction from a person other than the attacker and, while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Easily exploitable vulnerabilities allow unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and, while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Attacks of these varieties have confidentiality, integrity and availability impacts.

 Successful attacks can result in:

  • Takeover of Java SE, Java SE Embedded

  • Unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data

  • Unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data

  • Unauthorized ability to cause a partial denial of service (partial DOS)

  • Unauthorized read access to a subset of Java SE, Java SE Embedded accessible data

 

In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.



Oracle Releases Quarterly Security Patch Updates - April 2020

Hub City Media advises all Oracle customers review these security vulnerabilities with their teams…

As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.

We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.

For assistance with applying these patches, contact us


Oracle Solaris 11

Subcomponent(s): SMB Server Kernel Module, Operating System Image, jQuery, Oracle WebLogic Server, SMF command svcbundle, Whodo, Common Desktop Environment

 Patch Number: 31009799

 Vulnerability Details: Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Sun ZFS Storage Appliance Kit executes to compromise Sun ZFS Storage Appliance Kit. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise StorageTek Tape Analytics SW Tool. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in StorageTek Tape Analytics SW Tool, attacks may significantly impact additional products.

Successful attacks can result in:

  • Takeover of Oracle Solaris, Sun ZFS Storage Appliance Kit, StorageTek Tape Analytics SW Tool

  • Unauthorized update, insert or delete access to some of StorageTek Tape Analytics SW Tool accessible data as well as unauthorized read access to a subset of StorageTek Tape Analytics SW Tool accessible data

  • Unauthorized read, update, insert or delete access to some of Oracle Solaris accessible data

 

WebLogic Server

Subcomponent(s): Console, Core, WLS Web Services, Management Services

 Patch Number: 30857748

 Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP or T3 to compromise Oracle WebLogic Server.  Easily exploitable vulnerability allows high privileged attackers with network access via HTTP or T3 to compromise Oracle WebLogic Server.  Unauthenticated attackers with network access via HTTP can compromise Oracle WebLogic Server with human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products.  Attacks exploiting these vulnerabilities can result in system confidentiality, integrity and availability impacts and have the following detrimental effects.

 Successful attacks can result in:

  • Takeover of Oracle WebLogic Server.

  • Unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data.

  • Unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data

  • Unauthorized read access to a subset of Oracle WebLogic Server accessible data.

 

Java SE

Subcomponent(s): Libraries, JSSE, Concurrency, Lightweight HTTP Server, Security, Serialization

 Patch Number: 13079846

 Vulnerability Details: Vulnerabilities of varying difficulties allow unauthorized and highly privileged attackers via multiple network protocols, T3, and HTTPS, to compromise Java SE and Java SE Embedded. The vulnerability is in Java SE and Java SE Embedded; however, attacks may significantly impact additional products. Attacks exploiting these vulnerabilities have system confidentiality, integrity and availability impacts and have a variety of detrimental effects.

 Successful attacks can result in:

  • Takeover of Java SE, Java SE Embedded.

  • Unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.

  • Unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data

  • Unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.

 

Oracle HTTP Server

Subcomponent(s): Web Listener

 Patch Number: 31047338

 Vulnerability Details: Easily exploitable vulnerabilities allow unauthenticated attackers with network access via HTTP to compromise Oracle HTTP Server. Attacks can require human interaction from a person other than the attacker, or occur with a solo unauthenticated attacker. Attacks exploiting these vulnerabilities have system confidentiality, integrity and availability impacts and have the following detrimental effects.

 Successful attacks can result in:

  • Takeover of Oracle HTTP Server

  • Unauthorized update, insert or delete access to some of Oracle HTTP Server accessible data

  • Unauthorized read access to a subset of Oracle HTTP Server accessible data.

 

Oracle Access Manager

Subcomponent(s): Federation, Authentication Engine, SSO Engine

Patch Number: 30609442

Vulnerability Details: Easily exploitable vulnerability allows low privileged attackers with network access via HTTP to compromise Oracle Access Manager. Easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle Access Manager. Successful attacks of both types require human interaction from a person other than the attacker and, while the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products. Attacks exploiting these vulnerabilities have confidentiality, integrity, and availability impacts and the following detrimental effects.

 Successful attacks can result in:

●       Unauthorized update, insert or delete access to some of Oracle Access Manager accessible data

●       Unauthorized read access to a subset of Oracle Access Manager accessible data

●       Unauthorized ability to create partial Denial of Service

 

In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.


With every patch update, our team ensures your Oracle system is up to date and running smoothly.
News Robert Miranda News Robert Miranda

Oracle Releases Quarterly Security Patch Updates - January 2020

Hub City Media advises all Oracle customers review these security vulnerabilities with their teams…

As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.

We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.

For assistance with applying these patches, contact us


Oracle Identity Manager (OIM)

Product: Oracle Identity Management

 Subcomponent(s): Advanced Console

 Patch Number: 30338509 

 Vulnerability Details: Supported versions affected are 11.1.2.3.0 and 12.2.1.3.0. An easily exploitable vulnerability allows a low privileged attacker with network access via HTTP to compromise Identity Manager.

 Successful attacks can result in:

  • Unauthorized update, insert or delete access to some of Identity Manager’s accessible data

  • Unauthorized read access to a subset of Identity Manager accessible data

 

WebLogic Server

Product: Oracle Weblogic Server

 Subcomponent(s): WLS Core Components, Application Container - Java EE, Console

 Patch Number: 30463097 - Estimated Availability January 31, 2020

 Vulnerability Details: Easily exploitable vulnerabilities allow an unauthenticated attacker with network access via IIOP or T3 to compromise Oracle WebLogic Server. Easily exploitable vulnerabilities allow a high privileged attacker with network access via HTTP, or a logon to the infrastructure where WebLogic Server executes, to compromise Oracle WebLogic Server.  Some vulnerabilities require human interaction, and while the vulnerability is in Oracle WebLogic Server, attacks might significantly impact additional products.

 Successful attacks can result in:

  • Takeover of Weblogic Server

  • Unauthorized access to critical data or complete access to all accessible data

  • Unauthorized update, insert, or delete access to Weblogic accessible data

  • Unauthorized read access to subset of Weblogic accessible data

  • Unauthorized ability to cause partial denial of service

 

Java SE

Product: Java SE

 Subcomponent(s): Serialization, Security, Networking, Libraries

 Patch Number: 13079846

Vulnerability Details:

This patch update corrects vulnerabilities that have potentially high Confidentiality, Integrity, and Availability impacts. Exploitable vulnerabilities allow unauthenticated attackers with network access through multiple protocols to compromise Java SE. Successful attacks can have a variety of detrimental effects.

Successful attacks can result in:

  • Attacker takeover of Java SE

  • Unauthorized complete manipulation of Java accessible data, including access, write, delete, and modify

  • Unauthorized ability to cause a partial denial of service (partial DOS) of Java SE

  • Unauthenticated attacker with network access via Kerberos to compromise Java SE

 

Oracle HTTP Server

Product: Oracle Fusion Middleware

 Subcomponent(s): OSSL Module, Web Listener

 Patch Number: 30654519

 Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle HTTP Server and allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server.

 Successful attacks can result in:

  •  Partial DOS of the HTTP Server

  • Unauthorized update, insert or delete access to some of Oracle HTTP Server accessible data as well as unauthorized read access to a subset of Oracle HTTP Server accessible data

 

Oracle Solaris

Product: Oracle Solaris 11

 Subcomponent(s): Consolidation Infrastructure, Filesystem, Kernel, X Window System, SMB Server

 Patch Number: 30681152, 30681156

 Vulnerability Details: Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Easily exploitable vulnerability allows unauthenticated attacker with network access via SMB to compromise Oracle Solaris.

 Successful attacks can result in:

  • Takeover of Oracle Solaris

  • Unauthorized creation, deletion or modification access to critical data or all Oracle Solaris accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris

  • Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris.

  • Unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Solaris

 

BI Publisher

Product: Oracle Business Intelligence Enterprise Edition

 Subcomponent(s): Analytics Server and Analytics Web General (OpenSSL)

 Patch Number: 30677050

 Vulnerability Details:

Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Business Intelligence Enterprise Edition.

Successful attacks can result in:

  • Unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data.

 

In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.


With every patch update, our team ensures your Oracle system is up to date and running smoothly.
News Robert Miranda News Robert Miranda

April 2019: Oracle Releases Quarterly Security Patch Updates

Hub City Media advises all Oracle customers review these security vulnerabilities with their teams…

As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.

We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.

For assistance with applying these patches, contact us


Java SE


Product: Oracle Java SE

Component(s): RMI, Libraries, 2D

Patch Number: 13079846

Vulnerability Details:

This patch update corrects vulnerabilities that have potentially high Confidentiality, Integrity and Availability impacts. Exploitable vulnerabilities allow unauthenticated attackers with network access through multiple protocols to compromise Java SE. Successful attacks can have a variety of detrimental effects.

Successful attacks can result in:

  • Attacker takeover of Java SE

  • Ability to cause hangs or complete crashes of Java SE

  • Unauthorized complete manipulation of Java accessible data, including access, write, delete and modify.

 

Solaris

Product: Oracle Solaris

Component(s): IPS Package Manager, SunSSH, File Locking Services

Patch Number: 11.3.36.10.0

Vulnerability Details:

This patch update corrects vulnerabilities that have potentially high Confidentiality, Integrity, and Availability impacts. Exploitable vulnerabilities allow unauthenticated attackers with network access through multiple protocols (including logon access) to compromise Oracle Solaris.

 

Successful attacks can result in:

  • Unauthorized read access to Solaris file systems

  • Partial Denial of Service (DoS)

  • Unauthorized complete manipulation of Solaris accessible data, including access, write, delete and modify

 

SOA

Product: Oracle SOA Suite

Component(s): Fabric Layer

Patch Number: 29625018

Vulnerability Details:

This patch update corrects vulnerabilities that allow unauthorized read access to a subset of Oracle SOA as well as grant an unauthenticated attacker with network access, via HTTP, the ability to compromise Oracle SOA.

Successful attacks can result in:

  • Unauthorized Read access to Oracle SOA data

  • Unauthenticated Attacker can compromise Oracle SOA

 

Weblogic

Product: Oracle Weblogic Server

Component(s): WLS Core Components, EJB Container, WLS Core Components

Patch Number: 27820719

Vulnerability Details:

This patch update corrects vulnerabilities that have potentially high Confidentiality, Integrity and Availability impacts. Exploitable vulnerabilities allow unauthenticated attackers with network access through HTTP and T3 to compromise Oracle Weblogic Server.

 

Successful attacks can result in:

  • A takeover of Oracle WebLogic Server

 

BI Publisher (formerly XML Publisher)

Product: BI Publisher, version 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0

Subcomponent(s): BI Publisher Security

Patch Number: 29492717 

Vulnerability Details:

Easily exploitable vulnerability allows an unauthenticated, high or low privileged attacker with network access via HTTP to compromise BI Publisher. This vulnerability may impact additional products.

 

Successful Attacks can result in:

  • Unauthorized access to critical data or complete access to all BI Publisher accessible data

  • Unauthorized update, insert or delete access to some of BI Publisher accessible data.

  • Unauthorized read access to a subset of BI Publisher accessible data

 

Oracle HTTP Server (OHS)

Product: Oracle HTTP Server, version 12.2.1.3.0

Subcomponent(s): Web Listener (curl)

Patch Number: 29407043

Vulnerability Details:

The supported version affected is 12.2.1.3.0. An easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server.

 

Successful attacks can result in:

  • Takeover of Oracle HTTP Server

 

In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.


With every patch update, our team ensures your Oracle system is up to date and running smoothly.
News Robert Miranda News Robert Miranda

October 2018: Oracle Releases Quarterly Security Patch Updates

Hub City Media advises all Oracle customers review these security vulnerabilities with their teams…

As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.

We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.

For assistance with applying these patches, contact us


Java SE


Component: Oracle Java SE 7

Sub-Component(s): Hotspot, JNDI, JSSE, Sound, Deployment (libpng), Security, Networking

Patch Number: 13079846

Vulnerability Details:

This Critical Patch Update contains 12 new security fixes for Oracle Java SE. These vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. Some vulnerabilities are easily exploitable, and most allow an unauthenticated attacker with network access, via multiple protocols, the ability to compromise Java. Some vulnerabilities require human interaction from a person other than the attacker and while the vulnerabilities are in Java SE, attacks may significantly impact additional products.

Successful attacks can result in:

  • Partial Denial of Service of Java SE

  • Unauthorized update, insert or delete access to some of Java SE

  • Takeover of Java SE

 

WebLogic Server

Component: Oracle WebLogic Server (version 10.3.6.0)

Sub-Component: WLS Core, sample apps (Spring Framework), WLS Web Services, Console

Patch Number: 28343311

Vulnerability Details:

Easily exploitable vulnerabilities allow an unauthenticated attacker with network access via HTTP or T3 to compromise Oracle WebLogic Server. Successful exploitation of these vulnerabilities can result in takeover of Oracle WebLogic Server.

 

Oracle HTTP Server

Component: Oracle HTTP Server (version 12.2.1.3)

Sub-Component: Web Listener (curl)

Patch Number:  28281599

Vulnerability Details:

This difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle HTTP Server.

 

Oracle Identity Manager

Component: Oracle Identity Manager (versions 11.1.2.3.0 and 12.2.3.1.0)

Sub-Component: Installer (jackson-databind)

Patch Number: 28768324

Vulnerability Details:

This critical patch contains an important fix to a recently discovered vulnerability in Oracle Identity Manager. The vulnerability allows an attacker with HTTP access to the network to compromise OIM. Attacks can allow unauthorized read-access to a subset of Oracle Identity Manager accessible data, as well as the ability to cause partial denial of service of Oracle Identity Manager.

 

BI Publisher

Component: BI Publisher (versions 11.1.1.7.0, 11.1.1.9.0)

Sub-Component: BI Publisher Security (Apache Log4j)

Patch Number: 28632415 and 28632479 respectively

Vulnerability Details:

This critical patch contains a fix to an exploitable vulnerability. This issue allows an attacker to compromise Oracle Business Intelligence Publisher through the network via HTTP access. A successful attack would result in the takeover of Oracle Business Intelligence Publisher.

 

JRockit

Component: JRockit (version R28.3)

Sub-Components: Scripting, JNDI, JSSE, Sound

Patch Number: 28414796

Vulnerability Details: JNDI

This critical patch contains a fix to difficult to exploit vulnerabilities that allow unauthenticated attackers with network access via multiple protocols to compromise JRockit. Some attacks require human interaction from a person other than the attacker. Attacks may significantly impact additional products.

Successful attacks can result in:

  • Takeover of JRockit

  • Partial denial of service to JRockit

 

In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.


With every patch update, our team ensures your Oracle system is up to date and running smoothly.
News Robert Miranda News Robert Miranda

April 2018: Oracle Releases Quarterly Security Patch Updates

Hub City Media advises all Oracle customers review these security vulnerabilities with their teams…

As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.

We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.

For assistance with applying these patches, contact us


Component: Oracle Java SE 7
Sub-Component(s): Hotspot, Security, AWT, Concurrency, JAXP, JMX, Serialization, RMI
Patch Number: 13079846
 
Vulnerability Details: 
There were 11 new vulnerabilities discovered in Java 7. These vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. Some vulnerabilities are easily exploitable, and most allow an unauthenticated attacker with network access via multiple protocols the ability to compromise Java. Some vulnerabilities require human interaction from a person other than the attacker, and while the vulnerabilities are in Java SE, attacks may significantly impact additional products.


Successful attacks can result in:

  • unauthorized read, update, insert or delete access to some of Java SE accessible data
  • unauthorized creation, deletion or modification access to critical data or all Java SE accessible data
  • unauthorized ability to cause a partial denial of service (DOS) of Java SE
  • unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data
  • takeover of Java SE, Java SE Embedded

Some vulnerabilities can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. They can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. Other vulnerabilities apply to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

 

Component: Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
Sub-Component(s): WLS Security (Apache OpenJPA), WL Diagnostics Framework (Apache Log4j), Sample apps (jackson-databind), WLS Core Components
Patch Number: 27453773
 
Vulnerability Details: 
This Critical Patch contains three fixes for Oracle WebLogic Server versions 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3. These vulnerabilities are easy to exploit, allowing unauthenticated attackers with network access via HTTP or T3 to:

  • compromise Oracle WebLogic Server and perform a takeover of Oracle WebLogic Server 

This Critical Patch also contains a fix for Oracle WebLogic Server version 12.2.1.3. This vulnerability is easy to exploit, allowing an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server and: 

  • gain unauthorized update, insert or delete access to some Oracle WebLogic Server accessible data
  • gain unauthorized read access to a subset of Oracle WebLogic Server accessible data
  • gain unauthorized ability to cause a partial denial of service (DOS) of Oracle WebLogic Server

In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.


With every patch update, our team ensures your Oracle system is up to date and running smoothly.
